
What is Ransom Cartel? A ransomware gang focused on reputational damage

Ransom Cartel, a ransomware-as-a-service (RaaS) operation, has stepped up its attacks over the past year after the disbanding of prominent gangs such as REvil and Conti. Believed to have launched in December 2021, Ransom Cartel has claimed victims in the education, manufacturing, utilities, and energy sectors, using aggressive malware and tactics that resemble those of REvil.

The group employs double extortion, combining data encryption with data theft and subsequent threats to release stolen information on their data leak website. However, the group goes one step further and threatens to send sensitive information to the victim’s partners, competitors, and news outlets in an attempt to inflict as much reputational damage as possible.

“We believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments,” researchers from Palo Alto Networks said in an analysis of the ransomware code. “This suggests there was a relationship between the groups at some point, though it may not have been recent.”

Initial access and lateral movement toolset

Ransom Cartel attackers make heavy use of stolen credentials to gain initial access to victim organizations. These include credentials for services that are reachable from the internet: remote desktop protocol (RDP), secure shell (SSH), and virtual private networks (VPNs). The group’s affiliates, the hackers who distribute the ransomware in exchange for a hefty cut of the ransom payments, either obtain these credentials themselves or acquire them from initial access brokers on the underground market.

“Initial access brokers are actors who offer to sell compromised network access,” Palo Alto Networks’ researchers said. “Their motivation is not to carry out cyberattacks themselves but rather to sell the access to other threat actors. Due to the profitability of ransomware, these brokers likely have working relationships with RaaS groups based on the amount they are willing to pay. Unit 42 has seen evidence that Ransom Cartel has relied on this type of service to gain initial access for ransomware deployment.”

Once inside a corporate network, the goal of Ransom Cartel attackers is to steal additional credentials and gain access to Windows and Linux VMware ESXi servers. The attackers were seen using an open-source tool called DonPAPI, which can locate and dump credentials stored using the Windows Data Protection API (DPAPI).
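Because the initial access described above rides on valid but stolen credentials for internet-facing RDP, the useful detection is not a failed-logon alert but a review of successful remote-interactive logons from outside the corporate address space, and in particular of a single external source authenticating as several different accounts. The following is an added example written for this article, not code from the article or from Unit 42; the Windows Security event records are constructed and the corporate address ranges are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample Windows Security 4624/4625 records (not real telemetry).
# LogonType 10 is RemoteInteractive, i.e. an RDP session; 3 is a network logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.1.15"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.20.1.15"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "root", "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "mlee", "IpAddress": "198.51.100.7"},
]

# Assumed corporate ranges; replace with the organisation's own allocations.
CORPORATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_external(ip: str) -> bool:
    """True when the source address lies outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_RANGES)


def external_rdp_logons(events):
    """Successful RDP logons (4624, LogonType 10) originating outside the corporate ranges.
    Only successes matter here: stolen credentials are valid, so 4625 never fires for them."""
    return [
        e for e in events
        if e["EventID"] == 4624 and e["LogonType"] == 10 and is_external(e["IpAddress"])
    ]


def accounts_per_source(events):
    """Map each external source IP to the sorted set of accounts it logged on as over RDP."""
    by_ip = defaultdict(set)
    for e in external_rdp_logons(events):
        by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


def suspicious_sources(events, min_accounts: int = 2):
    """External IPs that authenticated as at least min_accounts distinct accounts over RDP,
    a pattern consistent with one operator working through a batch of purchased credentials."""
    return sorted(ip for ip, users in accounts_per_source(events).items() if len(users) >= min_accounts)
```

The same grouping applies unchanged to VPN or SSH authentication logs once they are normalised to the same four fields.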

Copyright © 2022 IDG Communications, Inc.
